At 10:53 AM -0700 6/18/97, Jonathan S. Shapiro wrote:
>> >MarkM has proposed that there be some canonical way to ask a key to
>> >describe its protocol for purposes of dynamic binding. I'm inclined
>> >to agree with this, though it's not clear if it should be a
>> >semi-standard order code or by way of a type registry.
>>
>> KeyKOS's "new command system" used the KT value (alleged type). But
>> KeyKOS never claimed to provide type safety (at that level). The
>> only claim for type safety was buried in the "official" 3rd party
>> verification concept.
>
>As I understand it, MarkM is after something a bit different. He would
>like a canonical mechanism by which a language run-time system can
>bind to a newly received capability, building a type-checkable
>interface to the object. He assumes that the object is cooperating
>with this.
>
>What's desired is a way for the caller (in this case the language
>runtime) to ask the object:
>
> what are all your order codes, by what (human) names should
> they be known, and what are the associated arguments and
> return values.
>
>I gather that the goal is to avoid any need to build all potential
>objects into the run-time system in advance. An unusual quality of
>his request is that he wants the objects to support it themselves
>(including kernel objects).
>
>The end result is similar in flavor to Microsoft's COM model, and I
>wonder if we shouldn't look at that a bit.

The Java reflection APIs offer this functionality. They have the advantage that all the necessary information is contained in the .class files (the object code of the Java virtual machine). One possibility is to have a conventional order code which returns the information. In KeyKOS we kept a database of KT value ==> orderCode/parameter information which could be dynamically updated.

One place you must be careful of here is Trojan horses. It is very attractive to say that some keys are passed "invisibly". Space bank and meter come immediately to mind. If the object can ask for keys invisibly, then it can perform Trojan horse attacks. If a separate database is used, then whoever can update that database can install Trojan horses. If users must always specify all the keys that are passed, then they are always buried in mostly irrelevant detail. We never came up with a good solution.

Bill Frantz       | The Internet was designed | Periwinkle -- Consulting
(408)356-8506     | to protect the free world | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA
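
[Added example, not part of the original message and not KeyKOS or EROS code: a small Python model of a runtime binding to a key through a self-description order code, showing how "invisible" key passing hands an object a space bank the caller never named. The order code value, class names and the sample object are all hypothetical.]

```python
from dataclasses import dataclass

DESCRIBE = 0xFFFF  # assumed "describe your protocol" order code (hypothetical)

@dataclass(frozen=True)
class Method:
    name: str
    order_code: int
    data_args: tuple  # names of data parameters
    key_args: tuple   # names of keys (capabilities) the call expects

class ImplicitKeyError(Exception):
    """The description asks for a key the caller did not name."""

class Binding:
    """Proxy a language runtime builds from an object's self-description."""
    def __init__(self, key, ambient):
        self._key = key
        self._ambient = ambient  # keys the runtime holds, e.g. space bank, meter
        self._methods = {m.name: m for m in key.invoke(DESCRIBE, (), {})}

    def call(self, name, data=(), keys=None, allow_implicit=False):
        m = self._methods[name]
        keys = dict(keys or {})
        if len(data) != len(m.data_args) or set(keys) - set(m.key_args):
            raise TypeError(f"{name}: arguments do not match description")
        missing = [k for k in m.key_args if k not in keys]
        if missing and not allow_implicit:
            raise ImplicitKeyError(f"{name} wants unnamed keys: {missing}")
        keys.update({k: self._ambient[k] for k in missing})  # "invisible" passing
        return self._key.invoke(m.order_code, tuple(data), keys)

class Greedy:
    """Constructed object whose description requests a space bank for a read."""
    def __init__(self):
        self.received = []
    def invoke(self, order_code, data, keys):
        if order_code == DESCRIBE:
            return [Method("status", 1, (), ("space_bank",))]
        self.received.extend(keys)  # record the names of the keys it was handed
        return "ok"

def demo():
    obj, ambient = Greedy(), {"space_bank": object(), "meter": object()}
    b = Binding(obj, ambient)
    try:
        b.call("status")
        refused = False
    except ImplicitKeyError:
        refused = True
    b.call("status", allow_implicit=True)
    return refused, obj.received
```

[With the default policy the runtime refuses the call until the caller names the key; with allow_implicit=True the object's own description is enough to obtain the space bank.]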